Upon completion of this chapter, you will be able to perform the following
tasks:

Describe the Features and Architecture of Cisco Secure ACS 3.0 for
Windows 2000/NT Servers (Cisco Secure ACS for Windows)

Configure Cisco Secure ACS for Windows to Perform AAA Functions

Describe the Features and Architecture of Cisco Secure ACS 2.3 for
UNIX

Configure the Perimeter Router to Enable AAA Processes to Use a TACACS
Remote Service

This chapter covers Cisco Secure ACS 3.0 for Windows 2000/NT Servers (Cisco
Secure ACS for Windows) and Cisco Secure ACS for UNIX (Solaris). The Windows
2000 version has the most coverage in this chapter. The configuration of the
Windows 2000 product is covered as a high-level overview. This chapter also
covers the security services of TACACS+, RADIUS, and Kerberos.

This chapter includes the following topics:

Introduction to Cisco Secure ACS for Windows

Product overview: Cisco Secure ACS for Windows

Product overview: Cisco Secure ACS for UNIX (Solaris)

Installing Cisco Secure ACS for Windows

Administering and troubleshooting Cisco Secure ACS for Windows

TACACS+ overview and configuration

Verifying TACACS+

RADIUS configuration overview

Kerberos overview

Cisco Secure ACS Introduction

This section presents an introduction to the Cisco Secure ACS offerings shown
in Figure 3-1, including the following products:

Cisco Secure ACS for Windows

Cisco Secure ACS for UNIX

The next three sections discuss each of the Cisco Secure ACS product
offerings.

Cisco Secure ACS for Windows

Cisco Secure ACS for Windows is a network security software application that
helps you control access to the campus network, dial-in access, and the
Internet. Cisco Secure ACS for Windows operates as Windows NT or Windows 2000
services and controls authentication, authorization, and accounting (AAA) of
users accessing the network.

This section presents an overview of the product and prepares you to install
and configure Cisco Secure ACS for Windows.

Cisco Secure ACS for Windows provides AAA services to network devices that
function as AAA clients, such as routers, network access servers, PIX
Firewalls, and VPN 3000 Concentrators. An AAA client is any device that provides
AAA client functionality and uses one of the AAA protocols supported by Cisco
Secure ACS for Windows. It also supports third-party devices that can be
configured to use TACACS+ or RADIUS protocols. Cisco Secure ACS for Windows
treats all such devices as AAA clients. Cisco Secure ACS for Windows uses the
TACACS+ and RADIUS protocols to provide AAA services that ensure a secure
environment.

Cisco Secure ACS for Windows helps to centralize access control and
accounting, in addition to router and switch access management. With Cisco
Secure ACS for Windows, network administrators can quickly administer accounts
and globally change levels of service offerings for entire groups of users.
Although the use of an external user database is optional, support for many
popular user repository implementations enables companies to use the working
knowledge gained from and the investment already made in building the corporate
user repositories.

Cisco Secure ACS for Windows is an easy-to-use ACS that is simple to install
and administer. It runs on the popular Windows NT Server 4.0 (SP5 or 6) or 2000
Server (SP 1 or 2) Microsoft operating systems. The Cisco Secure ACS for Windows
administration interface is viewed using supported web browsers, making it easy
to administer.

Different levels of security can be used with Cisco Secure ACS for Windows
for different requirements. The basic user-to-network security level is Password
Authentication Protocol (PAP). Although it does not represent the highest form
of encrypted security, PAP does offer convenience and simplicity for the client.
PAP allows authentication against the Windows NT or Windows 2000 database. With
this configuration, users need to log in only a single time. Challenge Handshake
Authentication Protocol (CHAP) allows a higher level of security for encrypting
passwords when communicating from a client to the network access server. You
can use CHAP with the Cisco Secure ACS for Windows user database. Microsoft
CHAP (MS-CHAP) is a version of CHAP that was developed by Microsoft to work more
closely with the Microsoft Windows operating system.

PAP, CHAP, and MS-CHAP are authentication protocols that are used to encrypt
passwords. However, each protocol provides a different level of security:

PAPUses clear-text passwords and is the least sophisticated
authentication protocol. If you are using the Windows NT or Windows 2000
user database to authenticate users, you must use PAP password
encryption.

CHAPUses a challenge-response mechanism with one-way
encryption on the response. CHAP lets Cisco Secure ACS for Windows negotiate
downward from the most secure to the least secure encryption mechanism, and it
protects passwords transmitted in the process. CHAP passwords are reusable. If
you are using the Cisco Secure ACS for Windows user database for authentication,
you can use either PAP or CHAP.

MS-CHAP: The MS-CHAP response packet is in a format that is compatible with
Microsoft Windows and LAN Manager 2.x. The MS-CHAP format does not require the
authenticator to store a clear-text or reversibly encrypted password.
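As an added illustration (not code from this book or from the Cisco product), the following Python shows the mechanism behind the PAP and CHAP comparison above: a CHAP peer answers a fresh challenge with an MD5 hash (RFC 1994), so the secret never crosses the wire, but the authenticator must hold the clear-text secret to recompute that hash, which is why a store holding only password hashes cannot verify CHAP. The user and secret are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value carried in a CHAP Response packet: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def pap_authenticate_request(identifier: int, username: str, password: str) -> bytes:
    """PAP Authenticate-Request (RFC 1334): the password itself travels in clear text."""
    user, pw = username.encode(), password.encode()
    body = bytes([len(user)]) + user + bytes([len(pw)]) + pw
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


@dataclass
class ChapAuthenticator:
    """Minimal server side: a clear-text secret store plus single-use challenges."""
    secrets: dict                                    # username -> clear-text secret
    outstanding: dict = field(default_factory=dict)  # identifier -> challenge issued

    def new_challenge(self, identifier: int) -> bytes:
        challenge = os.urandom(16)  # fresh and unpredictable for every attempt
        self.outstanding[identifier] = challenge
        return challenge

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)  # each challenge is used once
        secret = self.secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def demo() -> dict:
    """Constructed walk-through: a genuine login, a replayed response, a wrong secret."""
    server = ChapAuthenticator(secrets={"alice": b"correct horse"})  # constructed user
    chal = server.new_challenge(1)
    resp = chap_response(1, b"correct horse", chal)
    legit = server.verify("alice", 1, resp)
    server.new_challenge(2)  # a captured response does not satisfy a later challenge
    replay = server.verify("alice", 2, resp)
    chal3 = server.new_challenge(3)
    wrong = server.verify("alice", 3, chap_response(3, b"wrong", chal3))
    return {"legit": legit, "replay": replay, "wrong_secret": wrong,
            "secret_on_wire": b"correct horse" in resp}
```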

Although Cisco Secure ACS for Windows can function on a BDC or PDC, Cisco
SAFE practices recommend placing the application on a standalone server to
separate the services of one authentication server from another. Doing so
will improve the security posture by making it potentially more difficult for an
attacker to penetrate multiple devices.

VPN and Virtual Private Dialup Network (VPDN) support is available at the
origination and termination of VPN (L2F) tunnels

User restrictions can be based on remote address Calling Line
Identification (CLID)

Can disable an account on a specific date or after "n" failed
attempts

Administration Features

Cisco Secure ACS for Windows has many user-friendly administration features,
such as:

Browser-based GUI allows management from a web browser via a LAN or by
dialing in. Simplifies and distributes configuration for ACS, user profiles, and
group profiles:

Help and online documentation are included for quick problem solving
and access from a web browser (the browser does not use SSL; CSAdmin,
running as a Windows service, provides the website for ACS)

Permits group administration of users for maximum flexibility and
to facilitate enforcement and changes of security policies

Remote administration can be permitted/denied by using a unique
administration username/password

Distributed System Features

As shown in Figure 3-3, Cisco Secure ACS for Windows can be used in a
distributed system. Multiple Cisco Secure ACS for Windows servers and AAA
servers can be configured to communicate with one another as masters, clients,
or peers. Cisco Secure ACS for Windows also recognizes network access
restrictions of other Cisco Secure ACS for Windows servers on the distributed
network.

Cisco Secure ACS for Windows allows you to use powerful features, such
as:

Authentication forwardingAuthentication forwarding allows
the Cisco Secure ACS for Windows to automatically forward an authentication
request from a network access server to another Cisco Secure ACS for Windows.
After authentication, authorization privileges are applied to the network access
server for that user authentication.

Fallback on failed connectionYou can configure the order in
which Cisco Secure ACS for Windows checks the remote Cisco Secure ACS for
Windows servers if the network connection to the primary Cisco Secure ACS for
Windows server fails. If an authentication request cannot be sent to the first
listed server, the next listed server is checked, in order down the list, until
a Cisco Secure ACS for Windows server handles the authentication. If Cisco
Secure ACS for Windows cannot connect to any of the servers on the list,
authentication fails.

Remote and centralized accountingCisco Secure ACS for
Windows can be configured to point to a centralized Cisco Secure ACS for Windows
that is used as the accounting server. The centralized Cisco Secure ACS for
Windows will still have all the capabilities that a Cisco Secure ACS for
Windows server has, with the addition of being a central repository for all
accounting logs that are sent.

External Database Support

You can configure Cisco Secure ACS for Windows to forward authentication of
users to one or more external user databases. Support for external user
databases means that Cisco Secure ACS for Windows does not require that you
create duplicate user entries in the Cisco Secure user database. Users can
be authenticated using any of the following:

Windows NT or Windows 2000 user database

LDAP

NDS

Open Database Connectivity (ODBC)compliant relational
databases

LEAP Proxy RADIUS servers

Symantec (AXENT) Defender token servers

Secure Computing SafeWord token servers

RSA SecurID token servers

RADIUS-based token servers, including:

ActivCard token servers

CRYPTOCard token servers

VASCO token servers

Generic RADIUS token servers

Regardless of which database is used to authenticate users, the Cisco Secure
user database, internal to Cisco Secure ACS for Windows, authorizes requested
network services.

Cisco Secure ACS for Windows requires an application program interface (API)
for third-party authentication support. Cisco Secure ACS for Windows
communicates with the external user database using the API. For Windows NT or
Windows 2000, Generic LDAP, and Novell NDS authentication, the API for the
external authentication is local to the Cisco Secure ACS for Windows system and
is provided by the local operating system. In these cases, no further components
are required.

In the case of ODBC authentication sources, in addition to the Windows ODBC
interface, the third-party ODBC driver must be installed on the Cisco Secure ACS
for Windows server.

To communicate with each traditional token server, you must have software
components provided by the OTP vendors installed, in addition to the Cisco
Secure ACS for Windows components. You must also specify in User Setup that a
token card server be used.

For RADIUS-based token servers, such as those from ActivCard, CRYPTOCard, and
VASCO, the standard RADIUS interface serves as the third-party API.

Database Management Features

Two utilities, Database Replication and Relational Database Management System
(RDBMS) Synchronization, are provided with Cisco Secure ACS for Windows. These
utilities help automate the process of keeping your Cisco Secure ACS for Windows
database and network configuration current. A third utility, CSUtil.exe, allows
for database backup and restore functionality.

Figure 3-4 shows a typical installation that can support Database
Replication, RDBMS Synchronization, and ODBC import. These three topics will be
discussed in the following sections.

Database Replication is a powerful feature that is designed to simplify the
construction of a fault-tolerant AAA service environment based on the Cisco
Secure ACS for Windows. The primary purpose of Database Replication is to
provide the facility to replicate various parts of the setup on a Cisco Secure
ACS for Windows master server to one or more Cisco Secure ACS for Windows client
systems, allowing the administrator to automate the creation of mirror systems.
These mirror systems can then be used to provide server redundancy as fallback
or secondary servers to support fault-tolerant operation if the master or
primary system fails.

Do not confuse Database Replication with database/system backup. Database
Replication is not a complete replacement for database backup. You should
still have a reliable database backup strategy to ensure data integrity.

RDBMS Synchronization

RDBMS Synchronization is an integration feature designed to simplify
integration of Cisco Secure ACS for Windows with a third-party RDBMS
application. RDBMS Synchronization automates synchronization with an SQL,
Oracle, or Sybase RDBMS data source by providing the following
functions:

Specification of an ODBC data source to use for synchronization data that
is shared by Cisco Secure ACS for Windows and the other RDBMS application and to
provide control of the Cisco Secure ACS for Windows updates to an external
application

Control of the timing of the import/synchronization process, including
the creation of schedules

Control of which systems are to be synchronized

The RDBMS Synchronization feature has two components:

CSDBSyncCSDBSync is a dedicated Windows NT or Windows 2000
service that performs automated user and group account management services for
Cisco Secure ACS for Windows.

ODBC data store (table)This table specifies the record
format. Each record holds user or group information that corresponds with
the data stored for each user in the Cisco Secure ACS for Windows database.
Additionally, each record contains other fields, including an action code
for the record. Any application can write to this table, and CSDBSync reads
from it and takes actions on each record that it finds in the table
(for example, add user, delete user, and so on) as determined by the action
code.

ODBC Import Definitions

Cisco Secure ACS for Windows supports the import of data from ODBC-compliant
databases, such as Microsoft Access or Oracle. Importing is done with a single
table to import user/group information into one or more ACS servers.

The CSAccupdate service processes the table and updates local/remote ACS
installations according to its configuration.

Windows Architecture

Cisco Secure ACS for Windows provides AAA services to multiple NASs or
perimeter routers. It includes seven service modules, as shown in Figure
3-5.

Each module can be started and stopped individually from within the Microsoft
Service Control Panel or as a group from within the Cisco Secure ACS for Windows
browser interface.

Cisco Secure ACS for Windows installs the following Windows services on your
server:

Administration service (CSAdmin)Cisco Secure ACS for Windows
is equipped with its own internal web server. After Cisco Secure ACS for
Windows is installed, you must configure it from its HTML/Java interface, which
requires CSAdmin to always be enabled.

Authentication and authorization service (CSAuth)The primary
responsibility of Cisco Secure ACS for Windows is the authentication and
authorization of requests from devices to permit or deny access to a
specified user. CSAuth is the service that is responsible for determining
whether access should be granted and for defining the privileges associated with
that user. CSAuth is the database manager.

TACACS service (CSTacacs) and RADIUS service (CSRadius)These
services communicate between the CSAuth module and the access device that is
requesting the authentication and authorization services. CSTacacs is used
to communicate with TACACS+ devices and CSRadius is used to communicate with
RADIUS devices. Both services can run simultaneously. When only one security
protocol is used, only the respective service needs to be running.

Logging service (CSLog)CSLog is the service that is used to
capture and place logging information. CSLog gathers data from the TACACS+ or
RADIUS packet and CSAuth and manipulates the data to be put into the CSV
files. The CSV files are created daily starting at midnight.

CSDBSync serviceThis service performs automated user and
group account management services for Cisco Secure ACS for Windows. CSDBSync is
the service that is used to synchronize the Cisco Secure ACS for Windows
database with third-party RDBMSs and is an alternative to using the ODBC dynamic
link library (DLL). Starting with Version 2.4, CSDBSync synchronizes AAA client,
AAA server, network device groups (NDGs), and Proxy Table information with data
from an external relational database.

CSMonCSMon is the Cisco Secure ACS for Windows
self-monitoring and self-correcting service. CSMon works for both TACACS+ and
RADIUS and automatically detects which protocols are in use. CSMon facilitates
minimum downtime in a remote access network environment by performing four basic
activities:

MonitoringMonitors the overall status of Cisco Secure
ACS for Windows and the host server on which it is running. CSMon monitors the
generic host system state, application-specific performance, and system resource
consumption by Cisco Secure ACS for Windows.

RecordingRecords and reports all exceptions to the
CSMon Log or the Windows Event Log.

NotificationAlerts the administrator to potential
problems and real events regarding Cisco Secure ACS for Windows and records the
activity. CSMon can be configured to send messages concerning exception events,
responses, and the outcomes of response actions.

ResponseAttempts to automatically and intelligently
fix detected problems. CSMon can respond to warning events and failure events by
taking either predefined actions or customer-definable actions.

Using the ACS Database

Using either the TACACS+ or the RADIUS protocol, the network access server
directs all dial-in user access requests to Cisco Secure ACS for Windows,
which verifies the username and password and determines the user's
authorized privileges. Cisco Secure ACS for Windows then returns a success or
failure response to the network access server, which permits or denies user
access. When the user has been authenticated, Cisco Secure ACS for Windows sends
a set of authorization attributes to the network access server, and then the
accounting functions take effect.

Referring to the numbers shown in Figure 3-6, when the Cisco Secure ACS for
Windows user database is selected, the following service and database
interaction occurs:

TACACS+ or RADIUS service directs the request to the Cisco Secure ACS
Authentication and Authorization Windows NT or Windows 2000 service.

The request is authenticated against the Cisco Secure ACS for Windows
user database, associated authorizations are assigned, and accounting
information is logged to the Cisco Secure ACS Logging service.

The Windows NT or Windows 2000 user database does not authenticate the
user to permit dial-in access. The user must log in to Windows NT or Windows 2000
once the dialup AAA process is complete.

Cisco Secure ACS for Windows uses a built-in user database that is a
hash-indexed flat file. This type of file is not searched from the top of a
text file as typically associated with the term flat file, but instead is
indexed like a database. The hash-indexed flat file builds an index and tree
structure so that searches can occur exponentially, which enables the Cisco
Secure ACS for Windows user database to rapidly authenticate users.

Using the Cisco Secure ACS for Windows user database requires you to manually
enter the usernames. However, after the usernames exist in the Cisco Secure ACS
for Windows user database, administration is easier than using the Windows NT or
Windows 2000 user database. The Cisco Secure ACS for Windows user database
supports authentication for PAP, CHAP, and MS-CHAP.

Using Windows User Database

Figure 3-7 shows the flow of the steps used when you elect to use the Windows
NT or Windows 2000 user database for authentication and authorization.

Following the numbers shown in Figure 3-7, when Cisco Secure ACS for Windows
uses the Windows NT or Windows 2000 user database for AAA, the following service
and database interaction occurs:

TACACS+ or RADIUS service directs the request to the Cisco Secure ACS
Authentication and Authorization service.

The username and password are sent to the Windows NT or Windows 2000 user
database for authentication.

If approved, Windows NT or Windows 2000 grants dial permission as a local
user.

A response is returned to Cisco Secure ACS for Windows and authorizations
are assigned.

Confirmation and associated authorizations assigned in Cisco Secure ACS
for Windows for that user are sent to the network access server. Accounting
information is logged.

An added benefit of using the Windows NT or Windows 2000 user database is
that the username and password that are used for authentication are the same
that are used for network login. As such, you can require users to enter their
username and password once, for the convenience of a simple, single
login.

Token Card Support

Cisco Secure ACS for Windows supports several third-party token servers, such
as RSA SecurID, Secure Computing SafeWord, Symantec (AXENT) Defender, and any
hexadecimal X.909 token card such as CRYPTOCard. As shown in Figure 3-8, for
some token servers, Cisco Secure ACS for Windows acts as a client to the
token server.

For others, it uses the token server's RADIUS interface for
authentication requests. As with the Windows NT or Windows 2000 database, after
the username is located in the Cisco Secure user database, CSAuth can check the
selected token server to verify the username and token-card password. The token
server then provides a response, approving or denying validation. If the
response is approved, CSAuth knows that authentication should be granted for the
user.

Cisco Secure ACS for Windows can support token servers using the RADIUS
server that is built into the token server. Rather than using the vendor's
proprietary API, Cisco Secure ACS for Windows sends standard RADIUS
authentication requests to the RADIUS authentication port on the token server.
The token servers that are supported through their RADIUS servers are those from
ActivCard, CRYPTOCard, VASCO, PassGo Technologies, RSA Security, and Secure
Computing.

NOTE

Before Cisco Secure ACS 3.0.1, support for CRYPTOCard token servers used the
vendor-proprietary interface provided with the CRYPTOCard token server.

Cisco Secure ACS for Windows also supports any token server that is a RADIUS
server compliant with IETF RFC 2865. So, in addition to the RADIUS-enabled token
server vendors that are explicitly supported, this enables you to use any token
server that supports RADIUS-based authentication.

You can create multiple instances of each of these token server types in
Cisco Secure ACS for Windows.
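As an added example (not code from this book or from the Cisco product), the following Python models the RFC 2865 exchange described above between an AAA server and a RADIUS-enabled token server: the User-Password attribute carrying the token code is hidden with the shared secret, the token server answers with a Response Authenticator, and the AAA server accepts a result only if that authenticator verifies against its own request. The shared secret, the user, and the token-server state are constructed; the token server function is a stand-in, not any vendor's implementation.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte chunk with MD5(secret + previous block).
    This is obfuscation keyed on the shared secret, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")

def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    """AAA-server side: the Access-Request sent to the token server's RADIUS auth port."""
    request_auth = os.urandom(16)  # Request Authenticator: unpredictable per request
    attrs = _attr(USER_NAME, username.encode()) + _attr(
        USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:  # malformed attribute: stop instead of looping forever
            break
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def check_response(response: bytes, request_auth: bytes, secret: bytes):
    """AAA-server side: return the reply Code only if it is bound to our request and secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header[0] if hmac.compare_digest(expected, resp_auth) else None

def token_server(request: bytes, secret: bytes, valid_otps: dict) -> bytes:
    """Constructed stand-in for a RADIUS-enabled token server, not a real product."""
    ident, request_auth = request[1], request[4:20]
    attrs = parse_attributes(request)
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    otp = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if valid_otps.get(user) == otp else ACCESS_REJECT
    return build_response(code, ident, request_auth, secret)

def demo() -> dict:
    secret = b"constructed-shared-secret"  # constructed, not a real deployment value
    valid_otps = {"alice": "314159"}       # constructed token-server state
    req = build_access_request(7, "alice", "314159", secret)
    accepted = check_response(token_server(req, secret, valid_otps), req[4:20], secret)
    req = build_access_request(8, "alice", "000000", secret)
    rejected = check_response(token_server(req, secret, valid_otps), req[4:20], secret)
    # An Access-Accept produced without the shared secret fails the authenticator check.
    forged = build_response(ACCESS_ACCEPT, 8, req[4:20], b"wrong-secret")
    return {"accepted": accepted, "rejected": rejected, "forged": check_response(forged, req[4:20], secret)}
```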

Versions 3.1 and 3.2 Enhancements

Cisco is constantly upgrading and enhancing hardware and software products,
and Cisco Secure ACS for Windows is no exception. You can always find the latest
version information at Cisco's website. This section looks at some of
the important new features that have been added to Cisco Secure ACS for Windows
by versions 3.1 and 3.2.

The following are the Cisco Secure ACS for Windows version 3.1 product
enhancements:

SSL support for administrative accessSSL can be used to
secure administrative access to the Cisco Secure ACS for Windows HTML
interface.

Change Password (CHPASS) improvementsCisco Secure ACS for
Windows allows you to control whether network administrators can change
passwords during Telnet sessions that are hosted by TACACS+ AAA clients.

Improved IP pool addressingTo reduce the possibility of
allocating an IP address that is already in use, Cisco Secure ACS for Windows
uses the IETF RADIUS Class attribute as an additional index for user
sessions.

Cisco Secure ACS for UNIX (Solaris)

Cisco Secure ACS for UNIX is used to authenticate users and determine which
internal networks and services they may access. By authenticating users against
a database of user and group profiles, Cisco Secure ACS for UNIX effectively
secures private enterprise and service provider networks from unauthorized
access.

Token cards from CRYPTOCard, Secure Computing Corporation, and RSA Security
are supported. Token cards are the strongest available method to authenticate
users dialing in and to prevent unauthorized users from accessing proprietary
information. Cisco Secure ACS for UNIX now supports industry-leading
relational database technologies from Sybase, Inc. and Oracle Corporation.
Traditional scalability, redundancy, and nondistributed architecture limitations
are removed with the integration of relational database technologies, such as
Sybase's SQLAnywhere. Storage and management of user and group profile
information is greatly simplified.

General Features

Security is an increasingly important aspect of the growth and proliferation
of LANs and WANs. You want to provide easy access to information on your
network, but you also want to prevent access by unauthorized personnel. Cisco
Secure ACS for UNIX is designed to help ensure the security of your network and
track the activity of people who successfully connect to your network. Cisco
Secure ACS for UNIX uses the TACACS+ protocol to provide this network security
and tracking.

TACACS+ uses AAA to provide network access security and enable you to control
access to your network from a central location. Each facet of AAA significantly
contributes to the overall security of your network, as follows:

Authentication determines the identity of users and whether they should
be allowed access to the network.

Authorization determines the level of network services available to
authenticated users once they are connected.

Accounting keeps track of each user's network activity.

AAA within a client/server architecture (in which transaction
responsibilities are divided into two parts: client [front end] and server
[back end]) allows you to store all security information in a single,
centralized database instead of distributing the information around the network
in many different devices.

For further information on AAA, see the section titled "Introduction to
AAA for Cisco Routers" in Chapter 2, "Basic Cisco Router
Security."

You can use Cisco Secure ACS for UNIX to make changes to the database that
administers security on your network on a few security servers instead of making
changes to every NAS in your network.

Using Cisco Secure ACS for UNIX, you can expand your network to accommodate
more users and provide more services without overburdening system administrators
with security issues. As new users are added, system administrators can make a
small number of changes in a few places and still ensure network security.

Cisco Secure ACS for UNIX can be used with the TACACS+ protocol, the RADIUS
protocol, or both. Some features are common to both protocols, while other
features are protocol-dependent.

Cisco Secure ACS for UNIX has the following features when used with either
the TACACS+ or RADIUS protocol:

Support for use of common token card servers, including those from
CRYPTOCard, Secure Computing (formerly Enigma Logic), and RSA Security